Company undercuts technical safeguards and polish DPA issues fine

Updated: Apr 14, 2020

The President of the personal data protection office has imposed a PLN 2.8 million (ca. 645,000 euros) on

The organisation’s organisational and technical measures for the protection of PII of 2.2 million people had fallen short.

To read the full press release in Polish, click here

The Polish text of the decision is here

While imposing the fine, the supervisory authority concluded that the breach happened in this situation was of substantial significance and significant character, and concerned a big range of people. In its decision, the supervisory authority additionally pointed out that, because of the infringement, there was a high risk of damaging consequences, such as identity theft.

The PII involved covered: name and surname, phone number, email, delivery address. However, in the case of approximately 35,000 people, the data leaked from their instalment loan application. The scope of the data (PESEL number), the series and the number of the identity document, educational background, registered address, source of income, amount of net income, the cost of living of the household, marital status, plus maintenance obligations.

In the decision imposing the fine, the President of personal data protection office (UODO) concluded that the company by failing to conform with the requirement for data protection has breached, among other things, the principle of confidentiality, as set out in Article 5 (1) (f ) of the GDPR. Therefore, it has been unauthorised access to and from customers’ data. The authority considered that unsuccessful measures for the authentication of data access were put in place. The company had implemented additional technical security measures after the breach.

The investigation discovered that the infringement occurred due to ineffective tracking of potential risks. The investigation further discovered other misconduct. However, it was the lack of appropriate technical standards (insufficient safeguards) and organisational measures (on the monitoring of potential risks related to atypical online conduct) that led to imposing a fine. In determining its amount, however, the President of UODO has taken into account such circumstances, such as action taken by the organisation to put an end to the infringement, good cooperation with the controller and the fact that the organisation has not breached the personal data protection law before